European Union Data Privacy Law Reform: General Data Protection Regulation, Privacy Shield, and the Right to Delisting

摘要

The European Union has finally adopted data protection law reform, and now is the time for companies to adapt to the new landscape before the GDPR applies in May 2018. Many of the GDPR's provisions address companies' compliance obligations and require greater accountability and recordkeeping. Some provisions may require changes to internal organization (e.g., DPOs, DPIAs, and procedures that allow for proper data breach notifications). The United Kingdom's DPA issued a checklist of steps to prepare for the GDPR. These include raising awareness, documenting held personal data, reviewing privacy notices to bring them into conformity with the GDPR, checking that procedures cover all data subject rights and adapting them to cover handling data subject requests, identifying legal bases for processing, implementing systems to verify ages of children and to gather parental or guardian consent, implementing procedures regarding data breaches, designating DPOs if required, and identifying any applicable supervisory authorities. With respect to cross-border personal data transfers, companies may now self-certify under the Privacy Shield. They should monitor developments regarding the right to delisting, as this affects access to information on the Internet. In conclusion, it is clear that EU data protection and privacy law reform over the past year will necessarily require adaptation by companies and others for years to come.